Replace the Platform Services Controller Certificates in Region A


You replace the machine SSL certificate on each Platform Services Controller instance with a custom certificate that is signed by the certificate authority (CA).

About this task

Because the Platform Services Controller instances are load-balanced, the machine certificate on both instances in the region must be the same. The certificate must have a common name (CN) that is equal to the load-balanced Fully Qualified Domain Name (FQDN). The FQDN and short name of each Platform Services Controller, and the load-balanced FQDN and short name, must all be in the Subject Alternative Name (SAN) of the generated certificate.
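The following is an added example, not part of the original procedure or VMware tooling: a pre-installation check that reads the text output of `openssl x509 -noout -text` and reports any CN or SAN entry that the requirements above call for but the certificate lacks. The load-balanced FQDN `psc-lb.example.test`, the function names, and both sample outputs are constructed placeholders, because the page does not state the load-balanced FQDN.

```python
import re

LB_FQDN = "psc-lb.example.test"  # placeholder: the page does not state the load-balanced FQDN
NODES = ["mgmt01psc01.sfo01.rainpole.local", "comp01psc01.sfo01.rainpole.local"]

# Constructed, trimmed `openssl x509 -noout -text` output that meets the requirements.
SAMPLE_GOOD = """\
        Issuer: CN = constructed-issuing-ca
        Subject: C = US, O = Rainpole, CN = psc-lb.example.test
            X509v3 Subject Alternative Name:
                DNS:psc-lb.example.test, DNS:psc-lb, DNS:mgmt01psc01.sfo01.rainpole.local, DNS:mgmt01psc01, DNS:comp01psc01.sfo01.rainpole.local, DNS:comp01psc01
"""
# Constructed failing case: issued to one node, no short names, no load-balanced name.
SAMPLE_BAD = """\
        Issuer: CN = constructed-issuing-ca
        Subject: CN = mgmt01psc01.sfo01.rainpole.local
            X509v3 Subject Alternative Name:
                DNS:mgmt01psc01.sfo01.rainpole.local, DNS:comp01psc01.sfo01.rainpole.local
"""

def required_names(lb_fqdn, node_fqdns):
    """FQDN and short name of the load-balanced address and of every PSC node."""
    names = set()
    for fqdn in [lb_fqdn, *node_fqdns]:
        fqdn = fqdn.lower()
        names.update({fqdn, fqdn.split(".", 1)[0]})
    return names

def parse_openssl_text(text):
    """Return (subject CN, set of DNS SAN entries) from `openssl x509 -text` output."""
    subject = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", text, re.M)
    cn = subject.group(1).strip().lower() if subject else None
    san = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n([^\n]+)", text)
    dns = re.findall(r"DNS:([^,\s]+)", san.group(1)) if san else []
    return cn, {name.lower() for name in dns}

def check_certificate(text, lb_fqdn, node_fqdns):
    """Return a list of problems; an empty list means the names are acceptable."""
    cn, sans = parse_openssl_text(text)
    problems = []
    if cn != lb_fqdn.lower():
        problems.append(f"CN is {cn!r}, expected load-balanced FQDN {lb_fqdn!r}")
    for name in sorted(required_names(lb_fqdn, node_fqdns) - sans):
        problems.append(f"SAN is missing DNS:{name}")
    return problems

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_certificate(sample, LB_FQDN, NODES) or "OK")
```

Running the same check against the certificate file destined for each Platform Services Controller also confirms that both instances receive a certificate with identical names.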

You must repeat this procedure twice: first on the Platform Services Controller for the Management vCenter Server, and then on the Platform Services Controller for the Compute vCenter Server.

Table 1. Certificate-Related Files on Platform Services Controllers

| Platform Services Controller | Certificate File Name | Replacement Order |
|---|---|---|
| mgmt01psc01.sfo01.rainpole.local | sfo01psc01.sfo01.key | First |
| | sfo01psc01.sfo01.3.pem (CertGenVVD) | |
| | sfo01psc01.sfo01.chain.cer (Manual) | |
| | chainRoot64.cer | |
| comp01psc01.sfo01.rainpole.local | sfo01psc01.sfo01.key | Second |
| | sfo01psc01.sfo01.3.pem (CertGenVVD) | |
| | sfo01psc01.sfo01.1.chain.cer (Manual) | |
| | chainRoot64.cer | |

Procedure

1. Log in to vCenter Server by using the vSphere Web Client.

   a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.

   b. Log in using the following credentials.

      | Setting | Value |
      |---|---|
      | User name | administrator@vsphere.local |
      | Password | vsphere_admin_password |

2. Disable the Platform Services Controller for the shared edge and compute cluster comp01psc01 in the load balancer to route all traffic to the Platform Services Controller for the management cluster mgmt01psc01.

   a. From the vSphere Web Client Home menu, select Network & Security.

   b. In the Navigator, select NSX Edges.

   c. From the NSX Manager drop-down menu, select 172.16.11.65.

   d. Double-click the SFO01PSC01 edge device to open its network settings.

   e. On the Manage tab, click the Load Balancer tab and click Pools.

   f. Select pool-1 and click Edit.

   g. Select the comp01psc01 member, click Edit, select Disable from the State drop-down menu and click OK.

Repeat Step 14 to restart the services on the Compute vCenter Server comp01vc01.sfo01.rainpole.local in Region A and on the vCenter Server instances mgmt01vc51.lax01.rainpole.local and comp01vc51.lax01.rainpole.local in Region B.